
Securing Your Applications & Data

Survival In An Evolving Threat Landscape

Alexander Krakhofer

Agenda

Cyberwar: The Web App Aspect

The Evolving Threat Landscape

Securing Tomorrow's Perimeter

The Security Trinity

Integrity

Availability

Confidentiality

Security: Confidentiality. The "need to know" principle of the military ethic; access to information is restricted to those who are authorized to see it.

Security: Integrity. In its broadest meaning, refers to the trustworthiness of information over its entire life cycle: it has not been altered without authorization, whether in storage, in transit or in processing.

Security: Availability. Information, and the systems that hold it, can be reached by authorized users whenever they need it; denial-of-service attacks target this property directly.

Cyberwar Toolbox

Web Vandalism

Cyber Espionage

Disruption of Service

Gathering & Manipulating Data

Trojans, Viruses & Worms

Attacks on Critical Infrastructure

The Cyber Attack Vectors: Targeting Different Layers

Large volume network flood attacks

XSS, brute force

OS commanding

Application vulnerability, malware

SQL injection, LDAP injection

Port scan, SYN flood attack

"Low & slow" DoS attacks (e.g. Sockstress)

Network scan

Intrusion

"High and slow" application DoS attacks

XML manipulation, web services abuse

Leakage of sensitive data

McAfee, 2007, The Internet Security Report: approximately 120 countries have been developing ways to use the Internet as a weapon and target financial markets, government computer systems and utilities.

July 6, 2012: "Pentagon Digs In on Cyberwar Front: Elite School Run by Air Force Trains Officers to Hunt Down Hackers and Launch Electronic Attacks"

Cyberwar: The Web App Aspect

Web Apps Are Easy to Exploit

Whole system open to attack

Can target different layers

Thousands of web security vulnerabilities

Minimal attention to security during development

Traditional defences inadequate

All they need is a browser

Thousands of Vulnerabilities Every Year

[Chart: number of vulnerabilities published per year, 2000 to 2012, on a scale from 0 to 7000. Source: National Vulnerability Database.]

Minutes to Compromise, Months to Discover


Top Web Attack Impacts

[Chart of the most common impacts of web attacks. Source: webappsec.org]

Millions of Records Breached

Records of sensitive information (CCN, SSN, etc.) breached by hacking attempts in the United States alone. For scale, the population of the United States, projected to September 2012, is 314,324,529.

Source of Breach (source: 7safe.com)

External: 80%
Partner: 18%
Internal: 2%

Hacktivism Becomes More Campaign-Oriented, Blending APT Techniques

[Chart: campaigns plotted by sophistication measure.]

Attack target: Vatican
- Duration: 20 days
- More than 7 attack vectors
- "Inner circle" involvement

Attack target: HKEX
- Duration: 3 days
- 5 attack vectors
- Only "inner circle" involvement

Attack target: Visa, MasterCard
- Duration: 3 days
- 4 attack vectors

Attack target: Israeli sites
- Duration: 6 days
- 5 attack vectors
- "Inner circle" involvement

The Impact

[Timeline chart, 2007 to 2012: each hacktivist target or operation is placed on the year it occurred and its impact is classified as Confidentiality, Integrity or Availability. Targets and operations shown: Habbo; Hal Turner; Project Chanology; Epilepsy Foundation; AllHipHop defacement; No Cussing Club; 2009 Iranian election protests; Operation Didgeridie; Operation Titstorm; Oregon Tea Party raid; Operation Leakspin; Zimbabwe; Operation Payback; Avenge Assange; Operation Bradical; HBGary Federal; Westboro Baptist Church; Bank of America; Operation Sony; Operation Orlando; Operation Iran; Operation Anti-Security; Operation BART; Operation Invade Wall Street; Toronto Stock Exchange; Operation Stratfor; Arab Spring activities; LinkedIn password hack; AT&T DNS outage; L-3 ISP service outage; Saudi Aramco; Philippines water company.]

Securing Tomorrow's Perimeter

Perimeter Defense Planning

Any gap in coverage represents a vulnerability. That gap will be exploited.

Emergency Response Teams & Cyber War Rooms

Expertise required during an attack campaign:

Complex risk assessment

Tracking and modifying protections as the attack evolves during the campaign

Real-time intelligence

Real-time collaboration with other parties (ISPs, peers, vendors)

Counter-attack methods and plans

Preparation through cyber "war games"

[Cycle diagram with three phases:]

Get ready: audits; policies; technologies.

Attack time: an Emergency Response Team that "fights" the attack as it happens.

Forensics: analyze what happened; adjust policies; adapt new technologies.

[Annotations on the diagram: existing level of skills; strategy; lack of expertise.]

The Best Defense Is A…

Key notes:

- Counter attack's comeuppance is upon us
- Key IR assumptions are wrong, e.g. reliance on law enforcement
- Attack mitigation talent is low; knowledge must increase
- Corporate policies are IR-focused, not ERT-focused

Mapping Security Protection Tools

[Matrix: each attack vector is mapped to the protection tool(s) that cover it; the individual cell markings are not recoverable from the transcript.]

Protection tools (columns): DoS protection; behavioral analysis; IP reputation; IPS; WAF.

Attack vectors (rows):

Large volume network flood attacks

XSS, brute force

OS commanding

Application vulnerability, malware

SQL injection, LDAP injection

Port scan, SYN flood attack

"Low & slow" DoS attacks (e.g. Sockstress)

Network scan

Intrusion

"High and slow" application DoS attacks

XML manipulation, web services abuse

Leakage of sensitive data
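The reason the mapping needs a behavioral-analysis column at all is that the "low & slow" family never trips a volume threshold: the attacker's byte and request rate is tiny, so a DoS filter keyed on traffic volume sees nothing, while the server's connection slots are still pinned. The Python below is an added example, not code from the presentation or from any vendor's product, that shows this blind spot on a constructed connection snapshot. It models the Slowloris-style variant (many connections, each fed a partial HTTP request and held open), not Sockstress itself, which works at the TCP window level. The per-source thresholds (20 open connections, 30 seconds before a connection counts as stalled, 80% stalled, 50 kB/s for the volumetric check) and all client addresses are assumptions chosen for the demonstration.

```python
"""Behavioral profiling of a web server's open connections to expose a
'low & slow' DoS that a volume-based check misses.

Added example, not from the slides. The connection snapshot at the bottom
is constructed; thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Conn:
    src: str         # client IP address (constructed sample values below)
    age_s: float     # seconds the connection has been open
    bytes_in: int    # bytes received from the client so far
    complete: bool   # True once a full HTTP request has arrived


def group_by_src(conns: Iterable[Conn]) -> Dict[str, List[Conn]]:
    """Bucket the snapshot by source address; every verdict is per source."""
    groups: Dict[str, List[Conn]] = defaultdict(list)
    for c in conns:
        groups[c.src].append(c)
    return dict(groups)


def volumetric_verdict(conns: List[Conn], max_bytes_per_s: float = 50_000.0) -> str:
    """What a rate/volume threshold sees: inbound bytes per second from the
    source over the lifetime of its oldest connection. Flood-style DoS
    protection keys on this; a low & slow source stays far below it."""
    total = sum(c.bytes_in for c in conns)
    window = max(c.age_s for c in conns)
    return "flood" if total / window > max_bytes_per_s else "ok"


def stalled_count(conns: List[Conn], stall_after_s: float = 30.0) -> int:
    """Connections that have sat longer than stall_after_s without ever
    delivering a complete request."""
    return sum(1 for c in conns if not c.complete and c.age_s > stall_after_s)


def behavioral_verdict(conns: List[Conn], min_open: int = 20,
                       stall_after_s: float = 30.0,
                       stalled_ratio: float = 0.8) -> str:
    """Behavioral view: how many connections does the source hold open, and
    what fraction of them are stalled?  A single client on a slow link has
    a couple of long-lived uploads and is left alone (below min_open); a
    source pinning dozens of stalled slots is the low & slow pattern."""
    open_count = len(conns)
    if open_count >= min_open and stalled_count(conns, stall_after_s) / open_count >= stalled_ratio:
        return "low-and-slow"
    return "ok"


def analyze(conns: Iterable[Conn]) -> Dict[str, Dict[str, object]]:
    """Per-source report combining the volumetric and behavioral views."""
    report: Dict[str, Dict[str, object]] = {}
    for src, group in group_by_src(conns).items():
        report[src] = {
            "open": len(group),
            "stalled": stalled_count(group),
            "volumetric": volumetric_verdict(group),
            "behavioral": behavioral_verdict(group),
        }
    return report


# Constructed snapshot of the server's open connections (sample data).
SAMPLE_CONNS: List[Conn] = [
    # Normal browser session: a handful of short, completed requests.
    Conn("10.0.0.5", 0.4, 512, True),
    Conn("10.0.0.5", 1.2, 880, True),
    Conn("10.0.0.5", 0.3, 430, True),
    Conn("10.0.0.5", 2.0, 760, True),
    # Legitimate client on a slow link mid-way through two large uploads:
    # long-lived and incomplete, but only two connections.
    Conn("198.51.100.9", 120.0, 1_500_000, False),
    Conn("198.51.100.9", 95.0, 900_000, False),
] + [
    # Volumetric flood: ten connections each pushing 120 kB in half a second.
    Conn("192.0.2.44", 0.5, 120_000, True) for _ in range(10)
] + [
    # Low & slow attacker: 150 connections, each fed a partial header line
    # (a few dozen bytes) and then kept alive for minutes.
    Conn("203.0.113.7", 60.0 + 3.0 * i, 24 + i % 5, False) for i in range(150)
]


if __name__ == "__main__":
    for src, row in analyze(SAMPLE_CONNS).items():
        print(f"{src:14} open={row['open']:4} stalled={row['stalled']:4} "
              f"volumetric={row['volumetric']:5} behavioral={row['behavioral']}")
```

Run stand-alone it prints one line per source: the flood source is caught only by the volumetric check, the low & slow source only by the behavioral one, and neither legitimate client is flagged. That is the point of the mapping slide: no single column covers every row, and the attacker picks the row your deployed columns leave blank. The natural response for a flagged low & slow source is to cap concurrent connections per address and drop its stalled connections, which does not disturb the slow uploader because it never reaches min_open.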

Conclusion

Attackers deploy multi-vulnerability attack campaigns

Organizations deploy point security solutions

Attackers target the blind spots between those point solutions

Companies need a solution that:

Can defend against emerging cyber attack campaigns

Has no blind spots in network & application security

Customer success: best security solution for

Online business protection

Data center protection

http://edition.cnn.com/video/#/video/bestoftv/2013/01/09/exp-tsr-todd-us-banks-hacked-iran.cnn?iref=allsearch

Security Report 2012

What Changed in Security in 2012?

In 2012, we saw a new cyber security trend: a consistent and steady increase in advanced and persistent DoS and DDoS attack campaigns. These campaigns have multiple attack vectors, are longer in duration and are more complex. Nowadays it is common to see attacks with four, five or even ten attack vectors, lasting three days, a week or even a month. This new trend of advanced and persistent threats creates big challenges, and organizations are not prepared.

Organizations Are Bringing a Knife to a Gunfight!

Download the Security Report 2012 from

http://www.radware.com/Resources/rclp.aspx?campaign=1630844

16 February 2011

Alexander Krakhofer

[email protected]

Thank you for your attention.

Questions?